diff --git a/debug/src/RetrieveCertificate.hs b/debug/src/RetrieveCertificate.hs
index 0f36246..87273fa 100644
--- a/debug/src/RetrieveCertificate.hs
+++ b/debug/src/RetrieveCertificate.hs
@@ -1,7 +1,7 @@
 {-# LANGUAGE ScopedTypeVariables, DeriveDataTypeable, ViewPatterns #-}
 
 import Network.TLS
-import Network.TLS.Extra
+import Network.TLS.Extra.Cipher
 
 import Network.BSD
 import Network.Socket
@@ -10,7 +10,6 @@ import Data.Default.Class
 import Data.IORef
 import Data.X509 as X509
 import Data.X509.Validation
-import System.X509
 
 import Control.Applicative
 import Control.Monad
diff --git a/debug/src/SimpleClient.hs b/debug/src/SimpleClient.hs
index 7094f71..5c56371 100644
--- a/debug/src/SimpleClient.hs
+++ b/debug/src/SimpleClient.hs
@@ -3,7 +3,7 @@
 import Network.BSD
 import Network.Socket (socket, Family(..), SocketType(..), sClose, SockAddr(..), connect)
 import Network.TLS
-import Network.TLS.Extra
+import Network.TLS.Extra.Cipher
 import System.Console.GetOpt
 import System.IO
 import System.Timeout
@@ -42,7 +42,6 @@ runTLS debug params hostname portNumber f = do
     let sockaddr = SockAddrInet portNumber (head $ hostAddresses he)
     E.catch (connect sock sockaddr)
           (\(e :: SomeException) -> sClose sock >> error ("cannot open socket " ++ show sockaddr ++ " " ++ show e))
-    --dsth <- socketToHandle sock ReadWriteMode
     ctx <- contextNew sock params rng
     contextHookSetLogging ctx logging
     () <- f ctx
@@ -68,17 +67,11 @@ getDefaultParams flags host store sStorage session =
                              , sharedValidationCache = validateCache
                              }
         }
-        --, onCertificatesRecv = crecv
-        --}
     where
             validateCache
                 | validateCert = def
                 | otherwise    = ValidationCache (\_ _ _ -> return ValidationCachePass)
                                                  (\_ _ _ -> return ())
-            --checks = defaultChecks (Just host)
-            --crecv = if validateCert
-            --            then certificateChecks checks store
-            --            else certificateNoChecks
 
             tlsConnectVer
                 | Tls12 `elem` flags = TLS12
diff --git a/debug/src/Stunnel.hs b/debug/src/Stunnel.hs
index a461e63..5598ff0 100644
--- a/debug/src/Stunnel.hs
+++ b/debug/src/Stunnel.hs
@@ -8,6 +8,7 @@ import System.Console.GetOpt
 import System.Environment (getArgs)
 import System.Exit
 import System.X509
+import Data.X509.Validation
 
 import qualified Data.ByteString as B
 import qualified Data.ByteString.Lazy as L
@@ -23,7 +24,7 @@ import Data.Default.Class
 
 import qualified Crypto.Random.AESCtr as RNG
 import Network.TLS
-import Network.TLS.Extra
+import Network.TLS.Extra.Cipher
 
 import qualified Crypto.PubKey.DH as DH ()
 
@@ -177,15 +178,14 @@ doClient source destination@(Address a _) flags = do
                          }
 
     store <- getSystemCertificateStore
-    {-
-    let checks = defaultChecks (Just a)
-    let crecv = if not (NoCertValidation `elem` flags)
-                then certificateChecks checks store
-                else certificateNoChecks
-    -}
-    let clientstate = (defaultParamsClient "" B.empty)
+    let validateCache
+           | NoCertValidation `elem` flags =
+                ValidationCache (\_ _ _ -> return ValidationCachePass)
+                                (\_ _ _ -> return ())
+           | otherwise = def
+    let clientstate = (defaultParamsClient a B.empty)
                         { clientSupported = def { supportedCiphers = ciphers }
-                        , clientShared    = def { sharedCAStore = store }
+                        , clientShared    = def { sharedCAStore = store, sharedValidationCache = validateCache }
                         }
 
     case srcaddr of
@@ -200,6 +200,7 @@ doClient source destination@(Address a _) flags = do
 
                 dsth <- socketToHandle dst ReadWriteMode
                 dstctx <- contextNew dsth clientstate rng
+                contextHookSetLogging dstctx logging
                 _    <- forkIO $ finally
                     (tlsclient srch dstctx)
                     (hClose srch >> hClose dsth)
diff --git a/debug/tls-debug.cabal b/debug/tls-debug.cabal
index 9b0e294..b9a7d86 100644
--- a/debug/tls-debug.cabal
+++ b/debug/tls-debug.cabal
@@ -26,7 +26,6 @@ Executable           tls-stunnel
                    , data-default-class
                    , crypto-pubkey
                    , tls >= 1.2 && < 1.3
-                   , tls-extra >= 0.7.0 && < 0.8
   if os(windows)
     Buildable:       False
   else
@@ -42,7 +41,6 @@ Executable           tls-stunnel
 --                    , cprng-aes
 --                    , x509-system >= 1.0
 --                    , tls >= 1.2 && < 1.3
---                    , tls-extra >= 0.7 && < 0.8
 --   Buildable:         True
 --   ghc-options:       -Wall -fno-warn-missing-signatures
 
@@ -60,7 +58,6 @@ Executable           tls-retrievecertificate
                    , x509-system >= 1.4
                    , x509-validation >= 1.5.0
                    , tls >= 1.2 && < 1.3
-                   , tls-extra >= 0.7 && < 0.8
   Buildable:         True
   ghc-options:       -Wall -fno-warn-missing-signatures
 
@@ -74,7 +71,6 @@ Executable           tls-simpleclient
                    , cprng-aes >= 0.5.0
                    , x509-system >= 1.0
                    , tls >= 1.2 && < 1.3
-                   , tls-extra >= 0.7 && < 0.8
   Buildable:         True
   ghc-options:       -Wall -fno-warn-missing-signatures